Thursday, 3 December 2015


Another day, another massive data breach involving the personal details of millions of unsuspecting people. It’s a little different this time, though. Electronics and toy manufacturer VTech has shut down its family-oriented Learning Lodge app store after attackers managed to gain access to the account information of nearly five million adults and kids who had signed up for the service.

Hong Kong-based VTech’s kids’ toys include various toy versions of tablets, laptops, and even smartwatches. They’re all positioned as educational toys and include integration with the VTech Learning Lodge app store for customization and new apps. In fact, to make just about any change to the included software, parents have to sign up for a Learning Lodge account, making a login for themselves and their offspring.

The data collected by VTech varies a bit depending on the site used to sign up (there are several different portals to creating a VTech account). Herein lies the problem. It turns out that VTech wasn’t doing a very good job of keeping that account data secure. According to the company, hackers managed to access names, email addresses, home address, IP address, download history, and password recovery questions and answers. Affected are consumers in the US, UK, Canada, Germany, China, and a number of other regions.

VTech says it has contacted all the affected customers, but it can’t do much other than shrug and offer an apology. At least VTech doesn’t have payment details, because otherwise those would probably have been leaked as well. Although, maybe that’s why VTech didn’t take the security of its database seriously enough.

The breach happened on November 14th, and has been broken down in exhaustive detail by security researcher Troy Hunt. The stolen data contains a regular CSV file with 4,862,625 rows (one for each user account) with column headings like email, first_name, last_name, secret_question, secret_answer, and encrypted password. You may be thinking, “Oh, good… at least the passwords were encrypted.” Unfortunately, it’s just a straight MD5 hash that can be cracked in no time. Everything else is in plain text, which is insane. Other CSVs contain data on the kids with IDs that connect them to the parent accounts, which have additional data.
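To make the "straight MD5 hash" point concrete, here is an added Python example (not code from the article, Troy Hunt, or VTech) that audits a CSV with the column headings described above and contrasts an unsalted MD5 column with a salted, slow PBKDF2 store. The rows, email addresses and hash values are constructed for illustration; only the column names come from the article.

```python
import csv
import hashlib
import hmac
import io
import os

# Constructed sample: column names follow the article, the rows are made up.
# Both users chose the same password, which an unsalted hash makes obvious.
SAMPLE_CSV = """email,first_name,last_name,secret_question,secret_answer,encrypted_password
a@example.com,Ann,Lee,Pet name?,rex,5f4dcc3b5aa765d61d8327deb882cf99
b@example.com,Bob,Ng,Pet name?,max,5f4dcc3b5aa765d61d8327deb882cf99
"""

def load_rows(text):
    """Parse the CSV into dicts keyed by the column headings."""
    return list(csv.DictReader(io.StringIO(text)))

def is_bare_md5(value):
    """Heuristic audit check: 32 hex chars with no salt or algorithm tag."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())

def duplicate_hash_count(rows):
    """Rows sharing a hash share a password; salting would hide this."""
    counts = {}
    for r in rows:
        counts[r["encrypted_password"]] = counts.get(r["encrypted_password"], 0) + 1
    return sum(n for n in counts.values() if n > 1)

def hash_password(password, salt=None, iterations=600_000):
    """Salted, deliberately slow PBKDF2-HMAC-SHA256, stored with its parameters."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("bare MD5 rows:", sum(is_bare_md5(r["encrypted_password"]) for r in rows))
    print("rows with a shared hash:", duplicate_hash_count(rows))
```

Running it on the constructed sample flags both rows as bare MD5 and reports the shared hash, whereas two PBKDF2 entries for the same password differ because each carries its own random salt.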

This is a significant blunder for VTech, and closing its app store isn’t going to undo the damage. It didn’t take security seriously enough, presumably because it was “only” making kids’ toys. They didn’t even bother to use SSL. However, personal information is still personal, and now a lot more of it is floating around the Internet.